Just like you are going to find water before you find you have a leaking pipe, before a business discovers its data has been breached it is going to discover evidence that suggests there has been a breach. This is a critical time frame to “shut off the valve” because the decisions a business makes while the breach is being investigated will shape the risks, liability, and costs the business will face in the event the breach is confirmed. Businesses that fail to take the appropriate steps upon discovery of a breach only exacerbate the damages and create additional avenues of potential liability. Now that you know that, how are you going to know how to react unless you have a plan in place first? The answer is that you are not going to know how to react and, short of blind luck, you are going to make the problem worse. Plan now so you don’t regret it later.
If there is any suggestion that your data has been compromised, take steps to secure ALL of your data. Depending on how it is configured, this may mean moving data or employing a host of increasingly sophisticated ways to lock it down. If you cannot immediately identify the source of the alleged breach, just shut it down, or at least, shutdown as much as you can and as much seems reasonable?
Are you really saying I should “stop the presses” when I cannot even be sure is there’s been a breach? You bet I am, at least, sometimes. For some businesses, the reputational and legal risks of exposing additional data outweigh the costs of a temporary shutdown. According to the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company to investigate, notify customers/employees, and respond to a data breach was $3.5 million, and that figure is rising every year in most countries. The extent of a business’s loss often turns on when the business “knew or should have known” of a breach and what it did from that point forward. The key point is: you need to be sure you know of a breach at the time that the law says you should have known.
This does not mean you have to sound the alarm bell before you know or should have known of a breach. Businesses have a right, and a duty, to investigate circumstances that suggest their data has been exposed before the duty to serve notice arises, BUT the savvy business can mitigate risks and liability by, at least, closing suspect valves while it looks for the leak.
ShareholderAdam E. Gersh is a member of Flaster Greenberg's Labor and Employment and Litigation Practice Groups. He is also a member of the Board of Directors. He represents businesses and executives in employment and complex business disputes ...